CN105792194B - Authentication method, authentication device, network device and authentication system for base station legitimacy - Google Patents

Info

Publication number: CN105792194B (application CN201610262056.3A; also published as CN105792194A)
Authority: CN (China)
Prior art keywords: base station, terminal, result, decrypted, random code
Prior art date
Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Application number: CN201610262056.3A
Other languages: Chinese (zh)
Other versions: CN105792194A (en)
Inventor: 张伦泳
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd
Priority date
Filing date
Publication date
Events: application filed by China United Network Communications Group Co Ltd; priority to CN201610262056.3A; publication of CN105792194A; application granted; publication of CN105792194B; legal status Active; anticipated expiration

Classifications

    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity (H: Electricity; H04: Electric communication technique; H04W: Wireless communication networks)
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06 Authentication
    • H04W12/12 Detection or prevention of fraud

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides an authentication method, authentication device, network device and authentication system for base station legitimacy, in the field of communication technology. It addresses the problem that an existing terminal accessing a mobile network cannot guarantee that the identity of the network it actually accesses is genuine. The authentication method of base station legitimacy of the invention comprises: receiving a location update request sent by a terminal, the location update request including a first random code generated by the terminal; encrypting the first random code to generate a first encrypted result; and sending the first encrypted result to the terminal, so that the terminal decrypts the first encrypted result to obtain a first decrypted result and authenticates the first base station according to the first decrypted result.

Description

Authentication method, authentication device, network device and authentication system for base station legitimacy
Technical field
The invention belongs to the field of communication technology, and in particular relates to an authentication method, authentication device, network device and authentication system for base station legitimacy.
Background art
A "pseudo base station" is a false base station. The equipment generally consists of a host and a laptop and, together with bulk SMS senders, SMS transmitters and similar devices, can collect the SIM card information of terminals within a certain radius around it. By disguising itself as an operator base station and spoofing other people's subscriber numbers, it forces fraud, advertising and similar short messages onto user terminals.
At present pseudo base stations are widespread and cause great harm to large numbers of terminal users. The root cause of the problem is that a terminal does not verify the legitimacy of the network when it accesses a mobile network (such as a GSM network): as long as there is network coverage, the terminal by default selects the base station with the strongest signal and attempts to access it. Unless the network side refuses, the terminal is connected directly to that network, and there is no guarantee that the identity of the network actually accessed is genuine.
Summary of the invention
In view of the problem that an existing terminal accessing a mobile network cannot guarantee that the identity of the network it actually accesses is genuine, the present invention provides an authentication method, device and system for base station legitimacy in which a terminal verifies the legitimacy of the network when accessing a mobile network, so as to avoid the adverse consequences of a terminal accessing a pseudo base station.
The technical solution adopted to solve the problem of the present invention is an authentication method of base station legitimacy, comprising:
receiving a location update request sent by a terminal, the location update request including a first random code generated by the terminal;
encrypting the first random code to generate a first encrypted result;
sending the first encrypted result to the terminal, so that the terminal decrypts the first encrypted result to obtain a first decrypted result and authenticates the first base station according to the first decrypted result.
Wherein encrypting the first random code to generate the first encrypted result includes:
extracting the first random code from the location update request;
digitally signing the first random code with a certificate private key to generate the first encrypted result.
Wherein the terminal decrypting the first encrypted result to obtain the first decrypted result and authenticating the first base station according to the first decrypted result includes:
the terminal decrypting the first encrypted result with a pre-stored certificate public key to generate the first decrypted result, the first decrypted result including the decrypted first random code;
the terminal comparing whether the first random code in the location update request and the decrypted first random code are identical;
if the first random code in the location update request is identical to the decrypted first random code, the terminal confirming that the first base station is a legitimate base station; if the first random code in the location update request differs from the decrypted first random code, the terminal confirming that the first base station is an illegal base station.
Wherein, after sending the first encrypted result to the terminal so that the terminal decrypts it to obtain the first decrypted result and authenticates the first base station according to the first decrypted result, the method further includes:
generating a random symmetric key, and encrypting the random symmetric key with a pre-stored terminal authentication key to generate a second encrypted result;
the terminal decrypting the second encrypted result with the pre-stored terminal authentication key to generate a second decrypted result, the second decrypted result including the random symmetric key;
the first base station, on finding that the terminal is about to enter the coverage area of a second base station, generating a second random code, encrypting it with the received random symmetric key to generate a third encrypted result, and sending the third encrypted result to the terminal, so that the terminal decrypts the third encrypted result with the random symmetric key from the second decrypted result to generate a third decrypted result, the third decrypted result including the second random code;
the first base station sending the second random code, the random symmetric key and a pre-stored international mobile subscriber identity to the second base station;
after the terminal enters the coverage area of the second base station, the terminal sending a connection request to the second base station, the connection request including the international mobile subscriber identity of the terminal;
the second base station looking up, according to the international mobile subscriber identity in the connection request sent by the terminal, the second random code and the random symmetric key corresponding to that international mobile subscriber identity;
the second base station encrypting the identity information of the first base station and the second random code with the random symmetric key to generate a fourth encrypted result, and sending the fourth encrypted result to the terminal, so that the terminal decrypts the fourth encrypted result to obtain a fourth decrypted result and authenticates the second base station according to the fourth decrypted result.
Wherein the terminal decrypting the fourth encrypted result to obtain the fourth decrypted result and authenticating the second base station according to the fourth decrypted result includes:
the terminal decrypting the fourth encrypted result with the random symmetric key to generate the fourth decrypted result;
the terminal detecting whether the fourth decrypted result includes the identity information of the first base station and the second random code;
if the fourth decrypted result includes the identity information of the first base station and the second random code, authenticating the second base station as a legitimate base station; if the fourth decrypted result does not include the identity information of the first base station or the second random code, authenticating the second base station as an illegal base station.
As another technical solution, the present invention also provides an authentication device of base station legitimacy, comprising:
a receiving module, for receiving a location update request sent by a terminal, the location update request including a first random code generated by the terminal;
a processing module, for encrypting the first random code to generate a first encrypted result;
a sending module, for sending the first encrypted result to the terminal, so that the terminal decrypts the first encrypted result to obtain a first decrypted result and authenticates the first base station according to the first decrypted result.
Wherein the processing module includes:
an extraction module, for extracting the first random code from the location update request;
an encryption module, for digitally signing the first random code with a certificate private key to generate the first encrypted result.
Wherein the authentication device of base station legitimacy further includes a generation module;
the generation module is used for generating a random symmetric key;
the encryption module is further used for encrypting the random symmetric key with a pre-stored terminal authentication key to generate a second encrypted result.
As another technical solution, the present invention also provides a network device, including the authentication device of base station legitimacy according to any one of the above.
As another technical solution, the present invention also provides an authentication system of base station legitimacy, comprising: a network device, a terminal and a first base station;
the network device is the network device described above;
the terminal is used for decrypting the first encrypted result with a pre-stored certificate public key to generate a first decrypted result, the first decrypted result including the decrypted first random code; comparing whether the first random code in the location update request and the decrypted first random code are identical; if the first random code in the location update request is identical to the decrypted first random code, confirming that the first base station is a legitimate base station; if the first random code in the location update request differs from the decrypted first random code, confirming that the first base station is an illegal base station.
Wherein the authentication system of base station legitimacy further includes a second base station;
the first base station is used for encrypting, with the received random symmetric key, a second random code generated on finding that the terminal is about to enter the coverage area of the second base station, generating a third encrypted result and sending the third encrypted result to the terminal, so that the terminal decrypts the third encrypted result with the random symmetric key from the second decrypted result to generate a third decrypted result, the third decrypted result including the second random code; and for sending the second random code, the random symmetric key and a pre-stored international mobile subscriber identity to the second base station;
the terminal is further used for decrypting the second encrypted result with the pre-stored terminal authentication key to generate a second decrypted result, the second decrypted result including the random symmetric key; after entering the coverage area of the second base station, sending a connection request to the second base station, the connection request including the international mobile subscriber identity of the terminal; decrypting the fourth encrypted result with the random symmetric key to generate a fourth decrypted result; detecting whether the fourth decrypted result includes the identity information of the first base station and the second random code; if the fourth decrypted result includes the identity information of the first base station and the second random code, authenticating the second base station as a legitimate base station; if the fourth decrypted result does not include the identity information of the first base station or the second random code, authenticating the second base station as an illegal base station;
the second base station is used for looking up, according to the international mobile subscriber identity in the connection request sent by the terminal, the second random code and the random symmetric key corresponding to that international mobile subscriber identity; encrypting the identity information of the first base station and the second random code with the random symmetric key to generate a fourth encrypted result; and sending the fourth encrypted result to the terminal, so that the terminal decrypts the fourth encrypted result to obtain a fourth decrypted result and authenticates the second base station according to the fourth decrypted result.
In the authentication method, device and system of base station legitimacy of the invention, the authentication method comprises: receiving a location update request sent by a terminal, the location update request including a first random code generated by the terminal; encrypting the first random code to generate a first encrypted result; and sending the first encrypted result to the terminal, so that the terminal decrypts the first encrypted result to obtain a first decrypted result and authenticates the first base station according to the first decrypted result. The method adds a first random code to the location update request sent by the terminal, encrypts that random code and returns it to the terminal, and only when the decrypted first random code obtained by the terminal matches the first random code in the location update request is the base station network the terminal is about to access authenticated as legitimate. This avoids the problem that a terminal accessing a mobile network cannot guarantee that the identity of the network actually accessed is genuine, and also avoids the adverse consequences of a terminal accessing a pseudo base station.
Description of the drawings
Fig. 1 is a flow diagram of the authentication method of base station legitimacy of Embodiment 1 of the present invention;
Fig. 2 is a flow diagram of the authentication method of base station legitimacy of Embodiment 2 of the present invention;
Fig. 3 is a structural diagram of the authentication device of base station legitimacy of Embodiment 3 of the present invention;
Fig. 4 is a structural diagram of the authentication system of base station legitimacy of Embodiment 5 of the present invention;
wherein the reference numerals are: 1, receiving module; 2, processing module; 21, extraction module; 22, encryption module; 3, sending module; 4, generation module; 10, network device; 20, terminal; 30, first base station; 40, second base station.
Detailed description
In order to enable those skilled in the art to better understand the technical solution of the present invention, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Embodiment 1:
Referring to Fig. 1, this embodiment provides an authentication method of base station legitimacy, comprising:
Step 101, the network device receives a location update request sent by a terminal, the location update request including a first random code generated by the terminal.
Here the network device is the home location register/authentication centre (HLR/AUC). Note that the location update request is sent by the terminal through the first base station, and the first base station stores the location update request.
The first random code is generated by the terminal. Specifically, an application program (or software) in the terminal generates the first random code from a random function with a random-number seed; once generated, the first random code is placed in the protocol stack and sent by the terminal in an extension field of the location update request in the MAP signalling used by 2G/3G networks or the Diameter signalling used by 4G networks.
After the location update request is received there are two options: the first is to run the existing subscriber identity authentication process first and, after subscriber identity authentication passes, process the first random code (if subscriber identity authentication fails, the first random code is ignored); the second is to process the first random code first and run the subscriber identity authentication process afterwards. This embodiment is described using the second option.
Step 102, the network device encrypts the first random code to generate a first encrypted result. Specifically,
Step 1021, the network device extracts the first random code from the location update request.
Step 1022, the network device digitally signs the first random code with the certificate private key to generate the first encrypted result.
It will be understood that the digital signing process is in fact an encryption process, i.e. the first random code is encrypted with the certificate private key to generate the first encrypted result.
Step 103, the network device sends the first encrypted result to the terminal, so that the terminal decrypts the first encrypted result to obtain a first decrypted result and authenticates the first base station according to the first decrypted result. Specifically,
Step 1031, the terminal decrypts the first encrypted result with a pre-stored certificate public key to generate the first decrypted result, the first decrypted result including the decrypted first random code.
Note that the pre-stored certificate public key is stored in advance in the SIM card by the operator, so each pre-stored certificate public key is unique. Since the operator keeps a record of the pre-stored certificate public key in every SIM card, when the first random code is digitally signed with the certificate private key, that private key is the one paired with the certificate public key pre-stored in the SIM card of the terminal that sent the location update request, which allows the terminal to decrypt the first encrypted result.
Step 1032, the terminal compares whether the first random code in the location update request and the decrypted first random code are identical.
Step 1033, if the first random code in the location update request is identical to the decrypted first random code, the first base station is confirmed to be a legitimate base station; if the first random code in the location update request differs from the decrypted first random code, the first base station is confirmed to be an illegal base station.
That is, the first random code in the location update request is compared with the first random code obtained by the first decryption. If the first random code obtained by the first decryption agrees with the first random code in the location update request issued by the terminal, the terminal really is connected to its home location register (HLR); and since the base station, mobile switching centre and HLR are connected by fixed lines, the first base station to which the terminal is currently attached must be legitimate, and the terminal is allowed to connect to it. Conversely, if the first random code obtained by the first decryption does not agree with the first random code in the location update request issued by the terminal, the first base station is confirmed to be an illegal base station, the connection to it is refused, and base station selection is performed again, i.e. Step 101 is executed again; this is not repeated here.
At this point, after the first base station is confirmed to be a legitimate base station, the subscriber identity authentication process is executed, and normal communication can proceed once the verification operation with the terminal is completed; this step is the same as in the prior art and is not repeated here. Note that if the legitimacy of the first base station is authenticated using the first option, mutual authentication between the terminal and the network has already been completed at Step 1033 and normal communication can proceed.
It will be understood that, for a given pseudo base station (called the third base station for short), the third base station may listen passively and record a large number of pairs in advance, each pair consisting of the plaintext first random code sent by a terminal to the network side and the first random code ciphertext returned by the network. When the terminal enters the coverage area of the third base station and sends a location update to the network, the terminal generates a new random code, so whether or not the third base station knows the terminal's number, the pairs it recorded earlier are necessarily invalid, and the terminal will not access the third base station.
The authentication method of base station legitimacy of this embodiment comprises: receiving a location update request sent by a terminal, the location update request including a first random code generated by the terminal; encrypting the first random code to generate a first encrypted result; and sending the first encrypted result to the terminal, so that the terminal decrypts the first encrypted result to obtain a first decrypted result and authenticates the first base station according to the first decrypted result. By adding a first random code to the location update request sent by the terminal, encrypting it and returning it to the terminal, the base station network the terminal is about to access is authenticated as legitimate only when the decrypted first random code obtained by the terminal matches the first random code in the location update request. This avoids the problem that a terminal accessing a mobile network cannot guarantee that the identity of the network actually accessed is genuine, and also avoids the adverse consequences of a terminal accessing a pseudo base station.
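The exchange of Steps 101 to 1033 as runnable Python, added here as an illustration and not code from the patent or its assignee. Textbook RSA over two small fixed primes (assumed values) stands in for the operator's certificate key pair, the class and function names are the example's own, and the pseudo base station is modelled as the patent's third base station: a device holding recorded (first random code, first encrypted result) pairs but no private key. The check shows what the signature establishes, namely that whoever answered holds the private key paired with the SIM's public key; that this also vouches for the first base station is the patent's inference from the fixed-line connection between base station, mobile switching centre and HLR described under Step 1033.

```python
"""Model of Embodiment 1 (added example, not the patent's code): textbook RSA
over two small fixed primes stands in for the operator's certificate key pair
and is far too small for real use."""
import secrets

_P, _Q = 1000003, 1000033            # assumed primes, so the example is deterministic
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
CERT_PUBLIC_KEY = (_N, _E)           # what the operator writes into the SIM card
CERT_PRIVATE_KEY = (_N, _D)          # what the HLR/AUC holds


class Terminal:
    """Generates the first random code and keeps the SIM's certificate public key."""
    def __init__(self, public_key=CERT_PUBLIC_KEY):
        self.public_key = public_key
        self.last_random_code = None

    def location_update_request(self) -> dict:
        """Step 101: a fresh first random code in an extension field of the
        location update request. Freshness is what defeats replayed pairs."""
        n = self.public_key[0]
        self.last_random_code = secrets.randbelow(n - 2) + 2
        return {"type": "LOCATION_UPDATE", "random_code": self.last_random_code}

    def authenticate_first_base_station(self, first_encrypted_result: int) -> bool:
        """Steps 1031 to 1033: decrypt with the public key and compare the
        decrypted first random code with the one actually sent."""
        if self.last_random_code is None:
            raise RuntimeError("no location update request outstanding")
        n, e = self.public_key
        first_decrypted_result = pow(first_encrypted_result, e, n)
        return first_decrypted_result == self.last_random_code


class NetworkDevice:
    """The HLR/AUC: holds the certificate private key."""
    def __init__(self, private_key=CERT_PRIVATE_KEY):
        self.private_key = private_key

    def handle_location_update(self, request: dict) -> int:
        """Steps 1021 and 1022: extract the first random code and sign it
        (raw RSA, i.e. 'encrypt with the private key' as the patent puts it)."""
        n, d = self.private_key
        return pow(request["random_code"], d, n)      # first encrypted result


class LegitimateBaseStation:
    """Forwards the request to the HLR/AUC over the fixed line and relays the answer."""
    def __init__(self, network_device: NetworkDevice):
        self.network_device = network_device

    def handle_location_update(self, request: dict) -> int:
        return self.network_device.handle_location_update(request)


class PseudoBaseStation:
    """The patent's third base station: no private key and no link to the HLR,
    only (first random code, first encrypted result) pairs recorded by listening."""
    def __init__(self, recorded_pairs: dict):
        self.recorded_pairs = recorded_pairs

    def handle_location_update(self, request: dict) -> int:
        code = request["random_code"]
        if code in self.recorded_pairs:                   # only for a repeated code
            return self.recorded_pairs[code]
        return next(iter(self.recorded_pairs.values()))   # best effort: replay


def attach(terminal: Terminal, base_station) -> bool:
    """One location update through the given base station; True when the
    terminal accepts that base station as legitimate."""
    request = terminal.location_update_request()
    return terminal.authenticate_first_base_station(
        base_station.handle_location_update(request))


def record_pairs(terminal: Terminal, legit_base_station, count: int) -> dict:
    """What a listening pseudo base station collects from earlier sessions."""
    pairs = {}
    for _ in range(count):
        request = terminal.location_update_request()
        pairs[request["random_code"]] = legit_base_station.handle_location_update(request)
    return pairs


if __name__ == "__main__":
    hlr, terminal = NetworkDevice(), Terminal()
    real = LegitimateBaseStation(hlr)
    fake = PseudoBaseStation(record_pairs(terminal, real, 5))
    print("legitimate base station accepted:", attach(terminal, real))   # True
    print("pseudo base station accepted:", attach(terminal, fake))       # False
```

Run as a script to see both verdicts. The replay fails for the reason the patent gives: the terminal draws a new first random code for every location update, so a recorded pair never matches, and without the private key the pseudo base station cannot produce a value that decrypts to the new code.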
Embodiment 2:
Referring to Fig. 2, this embodiment provides an authentication method of base station legitimacy with a flow similar to that of Embodiment 1. The difference from Embodiment 1 is that it further includes the step of using the first base station, already authenticated as legitimate, to authenticate whether a second base station is legitimate. Specifically,
after sending the first encrypted result to the terminal so that the terminal decrypts it to obtain a first decrypted result and authenticates the first base station according to the first decrypted result (i.e. after Step 103), the method further includes:
Step 201, the network device generates a random symmetric key and encrypts the random symmetric key with the pre-stored terminal authentication key (Ki) to generate a second encrypted result.
Note that the pre-stored Ki is stored in advance in the SIM card by the operator, so each pre-stored Ki is unique. Since the operator keeps a record of the pre-stored Ki in every SIM card, the pre-stored Ki can be used to encrypt the random symmetric key, and the terminal can decrypt with the Ki in its SIM card.
Step 202, the network device sends the second encrypted result to the terminal, so that the terminal decrypts the second encrypted result with the pre-stored Ki to generate a second decrypted result, the second decrypted result including the random symmetric key.
Since the second encrypted result is generated with Ki, the terminal can necessarily decrypt the second encrypted result with the Ki stored in advance in its SIM card, i.e. the same key is used for encryption and decryption.
Step 203, the network device sends the random symmetric key to the first base station.
Note that, unlike the terminal, what the first base station receives is not an encrypted result but the plaintext of the random symmetric key, without encryption.
Step 204, the first base station finds that the terminal is about to enter the coverage area of the second base station and generates a second random code.
Since the coverage of each base station is limited, the terminal cannot always remain within the coverage of one base station. To authenticate whether the second base station the terminal is about to access is a legitimate base station, the first base station generates the second random code when it finds that the terminal is about to leave its coverage.
Step 205, the first base station encrypts the second random code with the received random symmetric key to generate a third encrypted result and sends the third encrypted result to the terminal, so that the terminal decrypts the third encrypted result with the random symmetric key from the second decrypted result to generate a third decrypted result, the third decrypted result including the second random code.
After decrypting the third encrypted result to obtain the second random code, the terminal stores the second random code.
Step 206, the first base station sends the second random code, the random symmetric key and the pre-stored international mobile subscriber identity (IMSI) to the second base station.
Note that the second random code and the random symmetric key referred to here are both plaintext, without encryption. The IMSI is stored in advance by the operator in the terminal's SIM card, so the second base station can find the corresponding terminal from the IMSI.
Step 207, after the terminal enters the coverage area of the second base station, the terminal sends a connection request to the second base station, the connection request including the IMSI of the terminal.
Step 208, the second base station looks up, according to the IMSI in the connection request sent by the terminal, the second random code and the random symmetric key corresponding to that IMSI.
Since in Step 206 the IMSI was sent together with the second random code and the random symmetric key by the first base station, once the second base station knows the IMSI it can look up the second random code and random symmetric key that were sent together with that IMSI.
Step 209, the second base station encrypts the identity information of the first base station and the second random code with the random symmetric key to generate a fourth encrypted result and sends the fourth encrypted result to the terminal.
Step 210, the terminal decrypts the fourth encrypted result with the random symmetric key to generate a fourth decrypted result, and detects whether the fourth decrypted result includes the identity information of the first base station and the second random code; if the fourth decrypted result includes the identity information of the first base station and the second random code, the second base station is authenticated as a legitimate base station; if the fourth decrypted result does not include the identity information of the first base station or the second random code, the second base station is authenticated as an illegal base station. Specifically,
Step 2101, the terminal decrypts the fourth encrypted result with the random symmetric key to generate the fourth decrypted result.
Step 2102, the terminal detects whether the fourth decrypted result includes the identity information of the first base station and the second random code.
Step 2103, if the fourth decrypted result includes the identity information of the first base station and the second random code, the second base station is authenticated as a legitimate base station; if the fourth decrypted result does not include the identity information of the first base station or the second random code, the second base station is authenticated as an illegal base station.
That is, the terminal detects whether the fourth decrypted result includes the identity information of the first base station and the second random code. If it does, the second base station is authenticated as a legitimate base station and the terminal is allowed to access it; if it does not include the identity information of the first base station or the second random code, the second base station is authenticated as an illegal base station and access to it is refused.
It will be understood that, for a given pseudo base station (called the third base station for short), when the terminal enters the coverage area of the third base station it performs a handover between base stations. Because there is no connection between the third base station and the first base station, the third base station cannot obtain the random symmetric key, or the second random code generated by the first base station, from the legitimate first base station. Even if the third base station overhears the second random code ciphertext (the third encrypted result) that the first base station sends to the terminal, what the second base station sends to the terminal is the ciphertext (the fourth encrypted result) of the identity information of the first base station concatenated with the second random code and encrypted with the random symmetric key, and the third base station cannot produce this ciphertext on its own without the random symmetric key; it therefore cannot connect to the terminal.
In the authentication method of base station legitimacy of this embodiment, the first base station, already authenticated as legitimate, is used to authenticate the legitimacy of the second base station. A randomly generated key is used, user data is exchanged directly between base stations, and encrypted data is exchanged between base station and terminal, which prevents a pseudo base station from obtaining base station authentication data by recording large numbers of forged keys and encrypted data in advance or by listening or interception. This avoids the problem that a terminal accessing a mobile network cannot guarantee that the identity of the network actually accessed is genuine, and also avoids the adverse consequences of a terminal accessing a pseudo base station.
Embodiment 3:
Referring to Figure 3, this embodiment provides an authentication device of base station legitimacy, comprising: a receiving module 1, a processing module 2, a sending module 3 and a generation module 4.
The receiving module 1 is configured to receive a location update request sent by the terminal; the location update request includes a first random code generated by the terminal.
The processing module 2 is configured to encrypt the first random code to generate a first encrypted result.
The processing module 2 includes an extraction module 21 and an encryption module 22.
The extraction module 21 is configured to extract the first random code from the location update request.
The encryption module 22 digitally signs the first random code using the certificate private key to generate the first encrypted result.
The encryption module 22 is further configured to encrypt the random symmetric key with the pre-stored Ki to generate a second encrypted result.
The sending module 3 is configured to send the first encrypted result to the terminal, so that the terminal decrypts the first encrypted result to obtain a first decrypted result and authenticates the first base station according to the first decrypted result.
The generation module 4 is configured to generate the random symmetric key.
The authentication device of base station legitimacy of this embodiment is configured to implement the authentication method of base station legitimacy of Embodiment 1 or Embodiment 2; for a detailed description, refer to the authentication method of base station legitimacy of Embodiment 1 or Embodiment 2, which is not repeated here.
The authentication device of base station legitimacy of this embodiment avoids the problem that a terminal accessing a mobile network cannot guarantee that the identity of the network actually accessed is genuine, and also avoids the adverse consequences caused by a terminal accessing a pseudo-base station.
Embodiment 4:
This embodiment provides a network device including the authentication device of base station legitimacy described in Embodiment 3.
The network device of this embodiment includes the authentication device of base station legitimacy of Embodiment 3; for a detailed description, refer to the authentication device of base station legitimacy of Embodiment 3, which is not repeated here.
The network device of this embodiment, including the authentication device of base station legitimacy of Embodiment 3, avoids the problem that a terminal accessing a mobile network cannot guarantee that the identity of the network actually accessed is genuine, and also avoids the adverse consequences caused by a terminal accessing a pseudo-base station.
Embodiment 5:
Referring to Figure 4, this embodiment provides an authentication system of base station legitimacy, comprising: a network device 10, a terminal 20, a first base station 30 and a second base station 40;
The network device 10 is the network device of Embodiment 4.
The terminal 20 is configured to decrypt the first encrypted result with the pre-stored certificate public key to generate a first decrypted result, the first decrypted result including the decrypted first random code; to compare whether the first random code in the location update request is identical to the decrypted first random code; if the first random code in the location update request is identical to the decrypted first random code, to confirm that the first base station 30 is a legitimate base station; if the first random code in the location update request differs from the decrypted first random code, to confirm that the first base station 30 is an illegal base station.
The first base station 30 is configured to use the received random symmetric key to encrypt a second random code, generated when the first base station discovers that the terminal 20 is about to enter the coverage area of the second base station 40, so as to generate a third encrypted result, and to send the third encrypted result to the terminal, so that the terminal decrypts the third encrypted result using the random symmetric key in the second decrypted result to generate a third decrypted result, the third decrypted result including the second random code; and to send the second random code, the random symmetric key and the pre-stored IMSI to the second base station 40.
The terminal 20 is further configured to decrypt the second encrypted result with the pre-stored Ki to generate a second decrypted result, the second decrypted result including the random symmetric key; after the terminal 20 enters the second base station, to send a connection request to the second base station 40, the connection request including the IMSI of the terminal; to decrypt the fourth encrypted result using the random symmetric key to generate a fourth decrypted result; to detect whether the fourth decrypted result includes the identity information of the first base station and the second random code; if the fourth decrypted result includes the identity information of the first base station 30 and the second random code, to authenticate the second base station 40 as a legitimate base station; if the fourth decrypted result does not include the identity information of the first base station 30 or the second random code, to authenticate the second base station 40 as an illegal base station.
The second base station 40 is configured to look up, according to the IMSI in the connection request sent by the terminal 20, the second random code and the random symmetric key corresponding to that IMSI; to encrypt the identity information of the first base station 30 and the second random code using the random symmetric key to generate a fourth encrypted result; and to send the fourth encrypted result to the terminal 20, so that the terminal 20 decrypts the fourth encrypted result to obtain the fourth decrypted result and authenticates the second base station 40 according to the fourth decrypted result.
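As an added illustration (not code from the patent or its applicant), the following Python simulation walks through the handover phase described in Steps 2102 and 2103 and in the system of this embodiment: the first base station issues the third encrypted result and forwards (second random code, random symmetric key, IMSI) to the second base station, the second base station answers the connection request with the fourth encrypted result, and the terminal accepts only if both the first base station's identity information and the second random code are present. It assumes the random symmetric key has already been delivered via the second encrypted result, uses a stdlib HMAC-based encrypt-then-MAC construction as a stand-in for the cipher the patent leaves unspecified, and uses constructed sample values for the IMSI and the first base station's identity.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stands in for whatever cipher an implementation chooses
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the random symmetric key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the tag fails (the sender did not hold the key)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class FirstBaseStation:
    identity: bytes      # identity information of the first base station
    sym_key: bytes       # random symmetric key received from the network device
    imsi: bytes          # pre-stored IMSI of the terminal
    second_random_code: bytes = field(default_factory=lambda: os.urandom(32))

    def third_encrypted_result(self) -> bytes:
        # Sent to the terminal when it is about to enter the second base station's coverage
        return encrypt(self.sym_key, self.second_random_code)

    def handover_record(self) -> Tuple[bytes, bytes, bytes]:
        # (second random code, random symmetric key, IMSI) forwarded to the second base station
        return self.second_random_code, self.sym_key, self.imsi

def second_base_station_connect(table: Dict[bytes, Tuple[bytes, bytes]], imsi: bytes,
                                first_identity: bytes) -> bytes:
    # The second base station looks up the record by the IMSI in the connection request
    code, key = table[imsi]
    return encrypt(key, first_identity + code)      # the fourth encrypted result

@dataclass
class Terminal:
    sym_key: bytes          # random symmetric key from the second decrypted result
    first_identity: bytes   # identity information of the first base station
    second_random_code: Optional[bytes] = None

    def receive_third_encrypted_result(self, blob: bytes) -> None:
        self.second_random_code = decrypt(self.sym_key, blob)   # third decrypted result

    def authenticate_second_base_station(self, fourth_encrypted_result: bytes) -> bool:
        # Steps 2102 and 2103: decrypt, then require BOTH the first base station's identity
        # information and the second random code; anything else is an illegal base station
        plain = decrypt(self.sym_key, fourth_encrypted_result)
        if plain is None or self.second_random_code is None:
            return False
        return hmac.compare_digest(plain, self.first_identity + self.second_random_code)

def run_handover(second_is_legitimate: bool) -> bool:
    sym_key = os.urandom(32)                           # assumed already shared (second encrypted result)
    imsi, first_id = b"460011234567890", b"FIRST-BS"   # constructed sample values
    first = FirstBaseStation(first_id, sym_key, imsi)
    term = Terminal(sym_key, first_id)
    third_ct = first.third_encrypted_result()
    term.receive_third_encrypted_result(third_ct)
    if second_is_legitimate:
        code, key, rec_imsi = first.handover_record()
        fourth_ct = second_base_station_connect({rec_imsi: (code, key)}, imsi, first_id)
    else:
        # Third (pseudo) base station: no link to the first base station, hence neither key nor
        # code; the most it can do is replay the overheard third encrypted result, which fails
        fourth_ct = third_ct
    return term.authenticate_second_base_station(fourth_ct)
```

Running `run_handover(True)` yields acceptance and `run_handover(False)` rejection: the replayed third encrypted result decrypts to the second random code alone, without the first base station's identity information, so the Step 2103 check fails exactly as the text argues.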
The authentication system of base station legitimacy of this embodiment includes the network device of Embodiment 4; for a detailed description, refer to the network device of Embodiment 4, which is not repeated here.
The authentication system of base station legitimacy of this embodiment avoids the problem that a terminal accessing a mobile network cannot guarantee that the identity of the network actually accessed is genuine, and also avoids the adverse consequences caused by a terminal accessing a pseudo-base station.
It is to be understood that the above embodiments are merely exemplary embodiments used to illustrate the principle of the present invention, and the present invention is not limited thereto. Those skilled in the art can make various changes and modifications without departing from the spirit and essence of the invention, and such changes and modifications are also regarded as falling within the protection scope of the present invention.

Claims (6)

1. An authentication method of base station legitimacy, characterized by comprising:
a network device receiving a location update request sent by a terminal via a first base station, the location update request including a first random code generated by the terminal;
the network device encrypting the first random code to generate a first encrypted result;
the network device sending the first encrypted result to the terminal, for the terminal to decrypt the first encrypted result to obtain a first decrypted result and to authenticate the first base station according to the first decrypted result;
after the network device sends the first encrypted result to the terminal, so that the terminal decrypts the first encrypted result to obtain the first decrypted result and authenticates the first base station according to the first decrypted result, the method further comprising:
after the first base station is confirmed to be a legitimate base station, the network device generating a random symmetric key and encrypting the random symmetric key with a pre-stored terminal authentication key to generate a second encrypted result; the terminal decrypting the second encrypted result with the pre-stored terminal authentication key to generate a second decrypted result, the second decrypted result including the random symmetric key;
the first base station encrypting, using the received random symmetric key, a second random code generated when the first base station discovers that the terminal is about to enter the coverage area of a second base station, to generate a third encrypted result, and sending the third encrypted result to the terminal, so that the terminal decrypts the third encrypted result using the random symmetric key in the second decrypted result to generate a third decrypted result, the third decrypted result including the second random code;
the first base station sending the second random code, the random symmetric key and a pre-stored international mobile subscriber identity to the second base station;
after the terminal enters the coverage area of the second base station, the terminal sending a connection request to the second base station, the connection request including the international mobile subscriber identity of the terminal;
the second base station looking up, according to the international mobile subscriber identity in the connection request sent by the terminal, the second random code and the random symmetric key corresponding to the international mobile subscriber identity;
the second base station encrypting identity information of the first base station and the second random code using the random symmetric key to generate a fourth encrypted result, and sending the fourth encrypted result to the terminal, so that the terminal decrypts the fourth encrypted result to obtain a fourth decrypted result and authenticates the second base station according to the fourth decrypted result.
2. The authentication method according to claim 1, characterized in that the network device encrypting the first random code to generate the first encrypted result comprises:
the network device extracting the first random code from the location update request;
the network device digitally signing the first random code using a certificate private key to generate the first encrypted result.
3. The authentication method according to claim 2, characterized in that the terminal decrypting the first encrypted result to obtain the first decrypted result and authenticating the first base station according to the first decrypted result comprises:
the terminal decrypting the first encrypted result with a pre-stored certificate public key to generate the first decrypted result, the first decrypted result including the decrypted first random code;
the terminal comparing whether the first random code in the location update request is identical to the decrypted first random code;
if the first random code in the location update request is identical to the decrypted first random code, the terminal confirming that the first base station is a legitimate base station; if the first random code in the location update request differs from the decrypted first random code, the terminal confirming that the first base station is an illegal base station.
4. The authentication method according to claim 1, characterized in that the terminal decrypting the fourth encrypted result to obtain the fourth decrypted result and authenticating the second base station according to the fourth decrypted result comprises:
the terminal decrypting the fourth encrypted result using the random symmetric key to generate the fourth decrypted result;
the terminal detecting whether the fourth decrypted result includes the identity information of the first base station and the second random code;
if the fourth decrypted result includes the identity information of the first base station and the second random code, authenticating the second base station as a legitimate base station; if the fourth decrypted result does not include the identity information of the first base station or the second random code, authenticating the second base station as an illegal base station.
5. An authentication system of base station legitimacy, characterized by comprising: a network device, a terminal and a first base station;
the network device includes an authentication device of base station legitimacy, the authentication device of base station legitimacy including: a receiving module for receiving a location update request sent by the terminal via the first base station, the location update request including a first random code generated by the terminal; a processing module for encrypting the first random code to generate a first encrypted result; and a sending module for sending the first encrypted result to the terminal, so that the terminal decrypts the first encrypted result to obtain a first decrypted result and authenticates the first base station according to the first decrypted result;
the terminal is configured to decrypt the first encrypted result with a pre-stored certificate public key to generate the first decrypted result, the first decrypted result including the decrypted first random code; to compare whether the first random code in the location update request is identical to the decrypted first random code; if the first random code in the location update request is identical to the decrypted first random code, to confirm that the first base station is a legitimate base station; if the first random code in the location update request differs from the decrypted first random code, to confirm that the first base station is an illegal base station;
the authentication device of base station legitimacy further includes a generation module, and the processing module includes an encryption module;
the generation module is configured to generate a random symmetric key after the first base station is confirmed to be a legitimate base station;
the encryption module is configured to encrypt the random symmetric key with a pre-stored terminal authentication key to generate a second encrypted result;
the authentication system further includes a second base station;
the first base station is configured to encrypt, using the received random symmetric key, a second random code generated when the first base station discovers that the terminal is about to enter the coverage area of the second base station, to generate a third encrypted result, and to send the third encrypted result to the terminal, so that the terminal decrypts the third encrypted result using the random symmetric key in the second decrypted result to generate a third decrypted result, the third decrypted result including the second random code; and to send the second random code, the random symmetric key and a pre-stored international mobile subscriber identity to the second base station;
the second base station is configured to look up, according to the international mobile subscriber identity in a connection request sent by the terminal, the second random code and the random symmetric key corresponding to the international mobile subscriber identity; to encrypt identity information of the first base station and the second random code using the random symmetric key to generate a fourth encrypted result; and to send the fourth encrypted result to the terminal, so that the terminal decrypts the fourth encrypted result to obtain a fourth decrypted result and authenticates the second base station according to the fourth decrypted result;
the terminal is further configured to decrypt the second encrypted result with the pre-stored terminal authentication key to generate the second decrypted result, the second decrypted result including the random symmetric key; after the terminal enters the coverage area of the second base station, to send the connection request to the second base station, the connection request including the international mobile subscriber identity of the terminal; to decrypt the fourth encrypted result using the random symmetric key to generate the fourth decrypted result; to detect whether the fourth decrypted result includes the identity information of the first base station and the second random code; if the fourth decrypted result includes the identity information of the first base station and the second random code, to authenticate the second base station as a legitimate base station; if the fourth decrypted result does not include the identity information of the first base station or the second random code, to authenticate the second base station as an illegal base station.
6. The authentication system of base station legitimacy according to claim 5, characterized in that the processing module further includes an extraction module;
the extraction module is configured to extract the first random code from the location update request;
the encryption module is further configured to digitally sign the first random code using a certificate private key to generate the first encrypted result.
CN201610262056.3A 2016-04-25 2016-04-25 Authentication method, authentication device, the network equipment, the Verification System of base station legitimacy Active CN105792194B (en)
Publications (2)

Publication Number Publication Date
CN105792194A CN105792194A (en) 2016-07-20
CN105792194B true CN105792194B (en) 2019-06-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant